Interviews
Enterprise IT Departments Are Having to Rethink Their Approach to Security

Steve Foster, the Head of Solutions Engineering for MEA at Netskope, says early adopter organizations have already moved to architectures like SASE and SSE that better support a Zero Trust approach.
How has the Zero Trust Network Architecture evolved since it was first coined in 2010?
Since its introduction as a counterpoint to the implicit trust that exists on the internet, Zero Trust has become well-recognised as a methodology requiring explicitly proven trust before access is allowed. Recently it has evolved from a singular concept into a broad set of terms used so much and so widely that it has almost lost its meaning. Our field CTO Steve Riley was actually the first person to use the phrase Zero Trust Network Access (ZTNA) – when he was an analyst at Gartner – but ZTNA has also evolved over recent years.
Originally it championed the idea of “trust nothing”, but it is now better suited to practical use, driving towards the idea of “trust nothing without adequate and continuous authorization”. Fundamentally, ZTNA takes us from the perimeter-based security model where – once you are through the perimeter – you have open access to everything, to an access model that requires users, devices, and applications to continually prove they are authorised before accessing only the specific resources they have been allowed.
Do you believe that technologies that support zero trust are moving into the mainstream?
When we see global government entities and national security organisations mandating Zero Trust architectures we know the technology is moving mainstream – and that is exactly what is happening at the moment. Two of the key technology architectures for supporting a zero-trust approach to network and application access are SASE and SSE. While traditional perimeter security tools are still available, they are an investment in legacy technologies.
Early adopter organizations have already moved to architectures like SASE and SSE that better support a Zero Trust approach, and now we are starting to see a majority of organizations doing likewise. This is a sure sign that the technologies supporting a Zero Trust architecture are now mainstream.
Do you believe that enterprise IT departments today require a new way of thinking because the castle itself no longer exists in isolation as it once did?
Enterprise IT departments are having to rethink their approach to security in a world where locking everything down is no longer an option. Users, applications, data, networks – everything was once able to be hermetically sealed against both infiltration and exfiltration, but this is no longer the case.
Security and networking architectures are all being swiftly rethought with a view to enablement rather than restriction. The question IT departments are asking themselves is: how do we provide access without losing all security, or how do we maintain security without limiting productivity? It’s that quest for balance between access and security that is the new tension.
How can companies get started with zero trust?
Zero Trust can seem like an impossibly large project, so I always suggest identifying a starting point where you can make the most impact as quickly as possible. The enterprise perimeter is where the most current risk lies, so I recommend focussing on ZTNA for access to internal resources, where micro-segmentation will prevent lateral movement between resources. Once you have implemented ZTNA, move on to other initiatives to extend a Zero Trust approach throughout your technology infrastructure. For example, pilot a remote browser isolation solution, scan all data at rest in the public cloud for external shares, and start scanning containers that your developers are creating for new apps.
Industry experts have warned that cyber-attacks will be focused on techniques that zero trust controls can’t mitigate. What according to you can be done to address this?
Adopting a Zero Trust approach would be beneficial in mitigating wider cyber risks, but it is important to understand there are always limits to any security measure. With this in mind, it’s important to identify and shore up any blind spots.
Ensuring you have Multi-Factor Authentication in place and removing administrator rights on all end-user devices are good starts, but make sure you also know where your most valuable assets are, and segment them off from the wider network so you can limit any damage if there is a breach elsewhere. You could also make sure you are not exposing them to the outside (directly on the internet) instead of putting them behind a ZTNA wall which will limit what damage a cyber-attack can do.
What according to you are the limitations of zero trust?
Because Zero Trust is not a product, it can’t be bought and installed in one sitting to mitigate cyber risks. For this reason, it is likely to be rolled out as separate projects, leaving gaps that could be exploited. Unwinding existing legacy technologies as part of a migration to Zero Trust can also leave some points of exposure. These can of course be mitigated by picking the right projects to start your journey with (start small and scale slowly), while always keeping the principles of Zero Trust in mind.
Zero Trust is Not a One-Time Project

Deepa Kuppuswamy, the Director of Security at Zoho, says the technologies supporting Zero Trust are very much in mainstream adoption.
How has the Zero Trust Network Architecture evolved since it was first coined in 2010?
In the cybersecurity domain, Zero Trust is no longer a buzzword; it is a decade-old concept that has been evolving for a while. It started as a concept introduced in 2010 in Forrester research; by 2014 we had Google’s BeyondCorp initiative, which reimagined the security architecture and was one of the earliest enterprise deployments of Zero Trust. In 2019 we saw the expansion of Zero Trust to SASE and ZTNA.
The pandemic period was when Zero Trust gained major traction, fueled by the aspects of fast-paced digital transformation, shift to cloud, and remote work. We also saw the evolution of standards and regulations related to Zero Trust – NIST published SP 800-207 as a unified framework for establishing Zero Trust architecture, and last year we had the US government executive order mandating the adoption of Zero Trust principles for federal agencies.
Do you believe that technologies that support zero trust are moving into the mainstream?
The basic building blocks for implementing Zero Trust revolve around user identity management and device trust and identity. The technology solutions in these domains like SSO, MFA, Cloud-based directory services, PAM, Unified endpoint management, MDM, EDR, and XDR are already well mature and are an existing part of the security stack of many organizations.
The other crucial component of the Zero Trust Network Access (ZTNA) is the policy decision engine and policy enforcement engine. We have many existing security vendors extending their existing stack to provide agent-based or gateway-based ZTNA architecture solutions. The technologies supporting Zero Trust are very much in mainstream adoption.
Do you believe that enterprise IT departments today require a new way of thinking because the castle itself no longer exists in isolation as it once did?
Today’s digital-first enterprises are no longer operating within the confines of a traditional network perimeter. Apps are everywhere and users are everywhere. With more than 80% of organisations adopting a cloud strategy, the business apps are hosted outside the organization network boundary.
The hybrid model of work is here to stay, and employees want seamless access to the business apps without any difference in experience based on the location from which they connect. BYOD is becoming a norm, with business data being accessed from personal devices that have lower security postures.
The traditional method of using network location, ownership, and control of physical assets as parameters for implicit trust is a flawed security paradigm. “Never Trust, Always Verify” should be the philosophy the IT department should internalise, implement and practice. Traditional tools like VPN are not designed to support remote access of this scale and do not offer flexible options for adaptive access control. It is imperative that the IT and Security departments work together to reinvent the security architecture in line with the current evolving business models.
How can companies get started with zero trust?
Moving from theory to practice has been challenging with Zero Trust. To many organizations, Zero Trust implementation is seen as a huge, expensive, and complex project. As it touches everything from user to device to network, it involves various stakeholders within the organization. What works out practically is to start small, start from where you are, and start with what you have as the current technology stack.
To initiate zero-trust implementation, organizations can start by defining a strategy and baseline prior to embarking on a wider zero-trust technology implementation. There should be an overall phased approach – Assess, focus on the top critical use cases, break into smaller achievable milestones, implement, and optimize over time.
We followed what we call the “Crawl, Walk, and Run” approach in our organization. The initial crawl phase involved strengthening the identity and device pillar, focusing on the below activities:
a. Implement SSO
b. Enforce MFA
c. Enrol corporate devices in UEM and MDM
d. Conditional access based on device certificates
This served as a good starting point and helped us to show the value early on to the users and the various stakeholders.
Industry experts have warned that cyber-attacks will be focused on techniques that zero trust controls can’t mitigate. What according to you can be done to address this?
Zero Trust is not a single silver bullet solution to all your security risks. There are other areas outside the scope of Zero Trust like API security, hardware and software vulnerabilities, insider threats, and supply chain attacks. A multi-layered approach and defence-in-depth controls are very much needed besides implementing Zero Trust. Security awareness training, incident response planning, regular monitoring and patching of systems and applications, comprehensive SOC capabilities, and threat intelligence are required to tackle the current cybersecurity challenges faced by organizations.
What according to you are the limitations of zero trust?
Zero Trust as a cybersecurity paradigm is a great evolution, but where we see limitations is in the practical implementation and deployment. With any new security model we experience challenges as the scope is expanded and we try to increase the granularity of controls. Zero Trust is not immune to this.
Zero Trust is not a one-time project; it is a continuous journey toward better security. It is also not a one-size-fits-all approach. Not every organization can follow the exact BeyondCorp approach; the strategy and roadmap need to be evolved according to the business need. Organizations should build a solid strategy and plan and invest in resources and people to succeed with Zero Trust.
Zero Trust Will Become Even More Widely Adopted

Debanjali Ghosh, the Technical Evangelist at ManageEngine, says companies are adopting various technologies to improve their security posture and reduce the risk of a breach
“Don’t Be Afraid to Speak Up”

Julie Davila, the Vice President of Global Field CTO Operations at Sophos, says that to start a career in cybersecurity, review the different aspects of the field to get an overview